I need your help regarding a topic "Unauthorized user administration".
I need to implement a few use cases in our SIEM tool which trigger an alert when "unauthorized administration" is detected.
The scope is Windows and Linux operating systems.
* Creating a local account on a workstation.
* Creating a local admin group on a workstation.
* Adding a user to a local admin group on a workstation.
* User password set to never expire.
* Admin account password reset.
Can you think of any other scenarios which can be considered "unauthorized user administration"?
Thanks in advance.
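
As an added example (not part of the original post), the listed use cases can be expressed as detection logic over Windows Security events 4720, 4731, 4732, 4738 and 4724 and over sudo entries in the Linux auth log. Assumptions: the SIEM exposes Windows events as parsed fields, Linux administration goes through sudo, and the allowlist names, group names and sample records are constructed for illustration.

```python
import re

# Assumption: accounts permitted to administer users (hypothetical names).
AUTHORIZED = {"svc-idm", "helpdesk-admin"}

# Windows Security event IDs for the use cases in the post.
WIN_EVENTS = {4720: "account created", 4731: "local group created",
              4732: "member added to local group", 4724: "password reset attempt"}
ADMIN_GROUPS = {"Administrators"}  # alert on 4732 only for these groups

# Linux: administration commands run via sudo, as sudo itself logs them.
SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : .*COMMAND=(?P<cmd>\S+)(?P<args>.*)")
LINUX_CMDS = {"useradd": "account created", "groupadd": "local group created",
              "usermod": "account or group membership changed",
              "chage": "password ageing changed", "passwd": "password reset"}

def check_windows(ev):
    """Return an alert string for one parsed Security event, or None."""
    eid, actor = ev["EventID"], ev["SubjectUserName"]
    action = WIN_EVENTS.get(eid)
    if eid == 4738:  # account changed: alert only when never-expire is switched on
        uac = ev.get("UserAccountControl", "")
        if "%%2089" in uac or "'Don't Expire Password' - Enabled" in uac:
            action = "password set to never expire"
    if eid == 4732 and ev.get("TargetUserName") not in ADMIN_GROUPS:
        action = None  # in 4732, TargetUserName holds the group name
    if action is None or actor.lower() in AUTHORIZED:
        return None
    return f"windows: {action} by {actor}"

def check_linux(line):
    """Return an alert string for one auth log line, or None."""
    m = SUDO_RE.search(line)
    action = LINUX_CMDS.get(m["cmd"].rsplit("/", 1)[-1]) if m else None
    if action is None or m["actor"].lower() in AUTHORIZED:
        return None
    return f"linux: {action} by {m['actor']}: {m['cmd']}{m['args']}"

# Constructed sample input (not real logs).
SAMPLE_WIN = [
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "tmpuser"},
    {"EventID": 4732, "SubjectUserName": "jdoe", "TargetUserName": "Administrators"},
    {"EventID": 4724, "SubjectUserName": "helpdesk-admin", "TargetUserName": "adm1"},
    {"EventID": 4738, "SubjectUserName": "jdoe", "UserAccountControl": "%%2089"},
]
SAMPLE_LINUX = [
    "Mar  3 10:15:02 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob",
    "Mar  3 10:16:40 ws01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
]
```

Commands run from a direct root shell do not produce sudo entries, so this Linux check covers only the sudo path.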